<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/read-cache.c, branch v2.15.2</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.15.2</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.15.2'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2018-05-22T05:15:14Z</updated>
<entry>
<title>Sync with Git 2.14.4</title>
<updated>2018-05-22T05:15:14Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-05-22T05:15:14Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=9e0f06d55df5855178ff41342937943604f6e97c'/>
<id>urn:sha1:9e0f06d55df5855178ff41342937943604f6e97c</id>
<content type='text'>
* maint-2.14:
  Git 2.14.4
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
</content>
</entry>
<entry>
<title>Sync with Git 2.13.7</title>
<updated>2018-05-22T05:10:49Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2018-05-22T05:10:49Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=7b01c71b64d25202d80b73cbd46104ebfddbdab3'/>
<id>urn:sha1:7b01c71b64d25202d80b73cbd46104ebfddbdab3</id>
<content type='text'>
* maint-2.13:
  Git 2.13.7
  verify_path: disallow symlinks in .gitmodules
  update-index: stat updated files earlier
  verify_dotfile: mention case-insensitivity in comment
  verify_path: drop clever fallthrough
  skip_prefix: add case-insensitive variant
  is_{hfs,ntfs}_dotgitmodules: add tests
  is_ntfs_dotgit: match other .git files
  is_hfs_dotgit: match other .git files
  is_ntfs_dotgit: use a size_t for traversing string
  submodule-config: verify submodule names as paths
</content>
</entry>
<entry>
<title>verify_path: disallow symlinks in .gitmodules</title>
<updated>2018-05-22T03:50:11Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-05-05T00:03:35Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=10ecfa76491e4923988337b2e2243b05376b40de'/>
<id>urn:sha1:10ecfa76491e4923988337b2e2243b05376b40de</id>
<content type='text'>
There are a few reasons it's not a good idea to make
.gitmodules a symlink, including:

  1. It won't be portable to systems without symlinks.

  2. It may behave inconsistently, since Git may look at
     this file in the index or a tree without bothering to
     resolve any symbolic links. We don't do this _yet_, but
     the config infrastructure is there and it's planned for
     the future.

With some clever code, we could make (2) work. And some
people may not care about (1) if they only work on one
platform. But there are a few security reasons to simply
disallow it:

  a. A symlinked .gitmodules file may circumvent any fsck
     checks of the content.

  b. Git may read and write from the on-disk file without
     sanity checking the symlink target. So for example, if
     you link ".gitmodules" to "../oops" and run "git
     submodule add", we'll write to the file "oops" outside
     the repository.

Again, both of those are problems that _could_ be solved
with sufficient code, but given the complications in (1) and
(2), we're better off just outlawing it explicitly.

Note the slightly tricky call to verify_path() in
update-index's update_one(). There we may not have a mode if
we're not updating from the filesystem (e.g., we might just
be removing the file). Passing "0" as the mode there works
fine; since it's not a symlink, we'll just skip the extra
checks.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
</content>
</entry>
<entry>
<title>verify_dotfile: mention case-insensitivity in comment</title>
<updated>2018-05-22T03:50:11Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-05-15T13:56:50Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=641084b618ddbe099f0992161988c3e479ae848b'/>
<id>urn:sha1:641084b618ddbe099f0992161988c3e479ae848b</id>
<content type='text'>
We're more restrictive than we need to be in matching ".GIT"
on case-sensitive filesystems; let's make a note that this
is intentional.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
</content>
</entry>
<entry>
<title>verify_path: drop clever fallthrough</title>
<updated>2018-05-22T03:50:11Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2018-05-13T17:00:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=e19e5e66d691bdeeeb5e0ed2ffcecdd7666b0d7b'/>
<id>urn:sha1:e19e5e66d691bdeeeb5e0ed2ffcecdd7666b0d7b</id>
<content type='text'>
We check ".git" and ".." in the same switch statement, and
fall through the cases to share the end-of-component check.
While this saves us a line or two, it makes modifying the
function much harder. Let's just write it out.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jk/fallthrough'</title>
<updated>2017-09-28T05:47:53Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2017-09-28T05:47:53Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=59373a4e03e273841c6c3b7fc9ac29c0a3e90c6d'/>
<id>urn:sha1:59373a4e03e273841c6c3b7fc9ac29c0a3e90c6d</id>
<content type='text'>
Many codepaths have been updated to squelch -Wimplicit-fallthrough
warnings from Gcc 7 (which is a good code hygiene).

* jk/fallthrough:
  consistently use "fallthrough" comments in switches
  curl_trace(): eliminate switch fallthrough
  test-line-buffer: simplify command parsing
</content>
</entry>
<entry>
<title>Merge branch 'jk/write-in-full-fix'</title>
<updated>2017-09-25T06:24:06Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2017-09-25T06:24:06Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c50424a6f07f17ff9b06927606df650cd73a09a3'/>
<id>urn:sha1:c50424a6f07f17ff9b06927606df650cd73a09a3</id>
<content type='text'>
Many codepaths did not diagnose write failures correctly when disks
go full, due to their misuse of write_in_full() helper function,
which have been corrected.

* jk/write-in-full-fix:
  read_pack_header: handle signed/unsigned comparison in read result
  config: flip return value of store_write_*()
  notes-merge: use ssize_t for write_in_full() return value
  pkt-line: check write_in_full() errors against "&lt; 0"
  convert less-trivial versions of "write_in_full() != len"
  avoid "write_in_full(fd, buf, len) != len" pattern
  get-tar-commit-id: check write_in_full() return against 0
  config: avoid "write_in_full(fd, buf, len) &lt; len" pattern
</content>
</entry>
<entry>
<title>Merge branch 'kw/write-index-reduce-alloc'</title>
<updated>2017-09-25T06:24:06Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2017-09-25T06:24:05Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=d085f9773a8f53a517a32f0c55a8c49a7cc773a1'/>
<id>urn:sha1:d085f9773a8f53a517a32f0c55a8c49a7cc773a1</id>
<content type='text'>
A hotfix to a topic already in 'master'.

* kw/write-index-reduce-alloc:
  read-cache: fix index corruption with index v4
  Add t/helper/test-write-cache to .gitignore
</content>
</entry>
<entry>
<title>consistently use "fallthrough" comments in switches</title>
<updated>2017-09-22T03:49:57Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2017-09-21T06:25:41Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=1cf01a34eaccd6da613dba82291666db237916ab'/>
<id>urn:sha1:1cf01a34eaccd6da613dba82291666db237916ab</id>
<content type='text'>
Gcc 7 adds -Wimplicit-fallthrough, which can warn when a
switch case falls through to the next case. The general idea
is that the compiler can't tell if this was intentional or
not, so you should annotate any intentional fall-throughs as
such, leaving it to complain about any unannotated ones.

There's a GNU __attribute__ which can be used for
annotation, but of course we'd have to #ifdef it away on
non-gcc compilers. Gcc will also recognize
specially-formatted comments, which matches our current
practice. Let's extend that practice to all of the
unannotated sites (which I did look over and verify that
they were behaving as intended).

Ideally in each case we'd actually give some reasons in the
comment about why we're falling through, or what we're
falling through to. And gcc does support that with
-Wimplicit-fallthrough=2, which relaxes the comment pattern
matching to anything that contains "fallthrough" (or a
variety of spelling variants). However, this isn't the
default for -Wimplicit-fallthrough, nor for -Wextra. In the
name of simplicity, it's probably better for us to support
the default level, which requires "fallthrough" to be the
only thing in the comment (modulo some window dressing like
"else" and some punctuation; see the gcc manual for the
complete set of patterns).

This patch suppresses all warnings due to
-Wimplicit-fallthrough. We might eventually want to add that
to the DEVELOPER Makefile knob, but we should probably wait
until gcc 7 is more widely adopted (since earlier versions
will complain about the unknown warning type).

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>avoid "write_in_full(fd, buf, len) != len" pattern</title>
<updated>2017-09-14T06:17:59Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2017-09-13T17:16:03Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=06f46f237afa823c0a2775e60ed8fbd80e7c751f'/>
<id>urn:sha1:06f46f237afa823c0a2775e60ed8fbd80e7c751f</id>
<content type='text'>
The return value of write_in_full() is either "-1", or the
requested number of bytes[1]. If we make a partial write
before seeing an error, we still return -1, not a partial
value. This goes back to f6aa66cb95 (write_in_full: really
write in full or return error on disk full., 2007-01-11).

So checking anything except "was the return value negative"
is pointless. And there are a couple of reasons not to do
so:

  1. It can do a funny signed/unsigned comparison. If your
     "len" is signed (e.g., a size_t) then the compiler will
     promote the "-1" to its unsigned variant.

     This works out for "!= len" (unless you really were
     trying to write the maximum size_t bytes), but is a
     bug if you check "&lt; len" (an example of which was fixed
     recently in config.c).

     We should avoid promoting the mental model that you
     need to check the length at all, so that new sites are
     not tempted to copy us.

  2. Checking for a negative value is shorter to type,
     especially when the length is an expression.

  3. Linus says so. In d34cf19b89 (Clean up write_in_full()
     users, 2007-01-11), right after the write_in_full()
     semantics were changed, he wrote:

       I really wish every "write_in_full()" user would just
       check against "&lt;0" now, but this fixes the nasty and
       stupid ones.

     Appeals to authority aside, this makes it clear that
     writing it this way does not have an intentional
     benefit. It's a historical curiosity that we never
     bothered to clean up (and which was undoubtedly
     cargo-culted into new sites).

So let's convert these obviously-correct cases (this
includes write_str_in_full(), which is just a wrapper for
write_in_full()).

[1] A careful reader may notice there is one way that
    write_in_full() can return a different value. If we ask
    write() to write N bytes and get a return value that is
    _larger_ than N, we could return a larger total. But
    besides the fact that this would imply a totally broken
    version of write(), it would already invoke undefined
    behavior. Our internal remaining counter is an unsigned
    size_t, which means that subtracting too many byte will
    wrap it around to a very large number. So we'll instantly
    begin reading off the end of the buffer, trying to write
    gigabytes (or petabytes) of data.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Reviewed-by: Jonathan Nieder &lt;jrnieder@gmail.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
</feed>
